MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

19.4.10

A new wave of scam domains themed on the IRS is being used by ZeuS. So far we have detected only a few, but we believe that in the coming hours many more will begin to appear in the crime scene of this old strategy used by ZeuS.

The domains, as usual, follow this structure:

irs.gov.rewsserr.eu/fraud.applications/application/statement.php

From there the ZeuS binary is downloaded under the name tax-statement.exe (6898fb162ceaf75a7f3690d51b0e8967), detected by 36/40 engines (90.00%).
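The hostname pattern above (the real brand name placed as leading subdomain labels in front of an unrelated registered domain) is easy to flag automatically. The following is an added example, not code from MalwareIntelligence: it extracts the hostname from a URL or bare host, computes the registrable domain with a deliberately small suffix table (an assumption; a production check should use the Public Suffix List), and reports whether a protected brand such as irs.gov appears as a label sequence in a host whose registrable domain is not that brand. The sample URLs at the bottom are constructed for the example, apart from the scam path quoted on this page.

```python
import re
from urllib.parse import urlsplit

# Brands whose hostnames are imitated as subdomains. Assumption for this example.
PROTECTED_DOMAINS = {"irs.gov"}

# Minimal set of multi-label public suffixes so the registrable domain is right
# for a few common cases. A real deployment should use the Public Suffix List;
# this short table is an assumption for the example.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname):
    """Return the registrable (registered) domain of a hostname."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hostname_of(url):
    """Accept bare hostnames as well as URLs with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def lookalike_verdict(url):
    """Classify a URL as 'legitimate', 'lookalike:<brand>' or 'unrelated'."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return "legitimate"
    for brand in PROTECTED_DOMAINS:
        # Match the brand as whole labels, allowing '.' or '-' between its
        # parts, so irs.gov.example and irs-gov.example are both caught.
        pattern = r"(^|[.-])" + re.escape(brand).replace(r"\.", "[.-]") + r"([.-]|$)"
        if re.search(pattern, host):
            return "lookalike:" + brand
    return "unrelated"


def flag_lookalikes(urls):
    """Return the subset of urls that imitate a protected brand."""
    return [u for u in urls if lookalike_verdict(u).startswith("lookalike:")]


if __name__ == "__main__":
    # Constructed sample list; the first entry is the scam URL quoted on the page.
    sample = [
        "irs.gov.rewsserr.eu/fraud.applications/application/statement.php",
        "https://www.irs.gov/forms",
        "http://irs-gov.example/refund",
        "http://example.com/irs.gov/",
    ]
    for u in sample:
        print(lookalike_verdict(u), u)
```

The check deliberately ignores the URL path: `example.com/irs.gov/` is reported as unrelated because the brand does not appear in the host at all, while anything that puts the brand in front of another registered domain is reported as a lookalike.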

Updated 20.02.2010

The ZeuS creators have launched a new infection campaign using as cover a false notification purportedly issued by the U.S. IRS (Internal Revenue Service), through which a variant of the trojan (MD5: 14FBCE4A3F67E46B18308AC6824B2A00) responsible for recruiting zombies is spread. It has a high detection rate.

In addition, an iframe tag pointing to the address hxxp://109.95.114.251/usa50/in.php is injected into the page's source code, triggering a Drive-by-Download attack.
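An injected iframe like the one described above is usually off-site, points at a bare IP address, and is sized or styled so the visitor never sees it. The following is an added example, not code from MalwareIntelligence: it parses page source with the standard library HTML parser, collects every iframe, and reports the ones whose src is an IP literal, belongs to a different site than the page host, or is hidden. The sample page and the TEST-NET address 198.51.100.23 in it are constructed for the example; the path mirrors the one reported on this page.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _site(host):
    """Crude site key: the last two labels. Assumption for the example."""
    return ".".join(host.lower().split(".")[-2:])


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _hidden(attrs):
    """True for 0/1 pixel frames or frames hidden via inline style."""
    def tiny(value):
        return value.strip().rstrip("px").strip() in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes worth an analyst's attention."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlsplit(src).hostname or page_host  # relative src stays on the page host
        reasons = []
        if _is_ip(host):
            reasons.append("ip-literal")
        if _site(host) != _site(page_host):
            reasons.append("off-site")
        if _hidden(frame):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one benign same-site frame, one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<h1>Tax statement</h1>
<iframe src="/help/contact.html" width="600" height="400"></iframe>
<iframe src="http://198.51.100.23/usa50/in.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "irs.gov.rewsserr.eu"):
        print(src, ",".join(reasons))
```

Run over a fetched copy of a page (never from the analyst's own browser), the three reasons together are a strong drive-by indicator; any one of them alone is only a hint, which is why the function returns the reasons rather than a single boolean.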

Original 14.02.2010

Last year (2009) saw several scams propagated as an attack strategy by ZeuS, alluding to the IRS (Internal Revenue Service), an agency under the Department of the Treasury of the United States, through which a variant of the ZeuS trojan family was disseminated.

Today, this same strategy is being actively exploited in another campaign of domains registered under false names similar to the real IRS page, which spread a new ZeuS trojan variant; it is clear that the aim is to recruit zombies to enlarge its already extensive network. Here we can see a screenshot of the new scam.

The message refers to an alleged tax statement attached to it, which according to the same message must be downloaded and run in order to view the statement.

In this facet of the deception, a binary called tax-statement.exe (9F0F75BA042B3CB0471749EC2416945B) is downloaded, which has a very acceptable level of detection by antivirus engines, being detected by 37 of 40.

ZeuS presents a wide range of domain names according to its propagation strategies, and throughout its time "In-the-Wild" many strategies have been known and used to obtain financial information of all kinds from victim computers.

Undoubtedly, ZeuS is the "crème de la crème" of crimeware of its kind.